clang-randstruct / llvm-project

Randomize the order of fields in a structure layout as a compile-time hardening feature

No randomization on MacOS #21

Closed connorkuehl closed 5 years ago

connorkuehl commented 5 years ago

Cole and Jordan are experiencing a lack of randomization on their macOS Mojave and macOS (very old) systems respectively.

They are using the most up-to-date develop branch.

Our fork of Clang appears to support the randomize_layout attribute (since it does not emit a warning when it finds it), but field randomization is not occurring when you look at the output of our poc.c program.

Nixoncole commented 5 years ago
NixonCole@Coles-MacBook-Pro-2 ~/clangRandStruct/clang-randstruct-testing/poc (master) $ make
/usr/bin/clang -g -Wno-format poc.c -o reg
poc.c:6:54: warning: unknown attribute 'randomize_layout' ignored [-Wunknown-attributes]
}__attribute__((no_randomize_layout)) __attribute__((randomize_layout));
                                                     ^
poc.c:6:17: warning: unknown attribute 'no_randomize_layout' ignored [-Wunknown-attributes]
}__attribute__((no_randomize_layout)) __attribute__((randomize_layout));
                ^
2 warnings generated.
/Users/NixonCole/clangRandStruct/llvm-project/build/bin/clang -g -Wno-format poc.c -o rand
poc.c:6:17: warning: unknown attribute 'no_randomize_layout' ignored [-Wunknown-attributes]
}__attribute__((no_randomize_layout)) __attribute__((randomize_layout));
                ^
1 warning generated.
NixonCole@Coles-MacBook-Pro-2 ~/clangRandStruct/clang-randstruct-testing/poc (master) $ ./reg
0 first
8 second
NixonCole@Coles-MacBook-Pro-2 ~/clangRandStruct/clang-randstruct-testing/poc (master) $ ./rand
0 first
8 second
NixonCole@Coles-MacBook-Pro-2 ~/clangRandStruct/clang-randstruct-testing/poc (master) $
connorkuehl commented 5 years ago

Here are some pastes of the compiler output when running as verbose:

Currently trying to investigate the differences between the two.

connorkuehl commented 5 years ago

We're narrowing in on std::shuffle() and std::default_random_engine{} on Cole's Mac environment. We removed those in testing and have manually performed iterator swapping and are seeing fields moving around.

Worth noting that when Cole updated his Clang toolchain additional steps were followed for include paths which involve changing environment variables in his bashrc. If the standard libraries are getting fuzzy here, they're not reporting any errors; just failing silently. Could this be a toolchain issue? Looking into reinstalling toolchain.

connorkuehl commented 5 years ago

So it appears to be working on Mac. Our leading theory is that the default random engine is implementation-defined, so we observe the following:

On Linux, we get a seed that results in always shuffling the simple structure of two char*.

On Mac, the engine produces a seed that results in the original order of the simple structure of two char*.

By adding more data members to the structure, we observed fields moving around with the original code.

False alarm :sweat_smile:

Let's update the test file to have more varied structures.
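Added example, not part of the issue thread or of the clang-randstruct code: a small C++ model of the shuffle discussed in the comments above. It shows the two reasons a two-field poc.c cannot tell "randomization is broken" from "randomization happened to produce the original order": std::default_random_engine and the index mapping inside std::shuffle are both implementation-defined, so the same default-constructed engine can give one order under libstdc++ and another under libc++, and any uniform shuffle of n fields returns the identity permutation with probability 1/n!, i.e. half the time for two fields. The field names and seed values are constructed sample input; the seeded Fisher-Yates variant is an illustration of a portable alternative, not what the fork implements.

```cpp
// Added example (not clang-randstruct's own code): why a two-field struct is a
// weak test for layout randomization, and how a seeded Fisher-Yates shuffle that
// uses only a fully specified engine's raw output gives the same layout on every
// platform.
#include <algorithm>
#include <cstddef>
#include <cstdint>
#include <random>
#include <string>
#include <utility>
#include <vector>

// Field names stand in for a struct's FieldDecls (constructed sample input).
using Layout = std::vector<std::string>;

// What the thread's original code does: std::shuffle driven by a
// default-constructed std::default_random_engine. The engine type, its default
// seed and the way std::shuffle maps engine output to indices are all
// implementation-defined, so the order is deterministic on one toolchain but
// may differ on another (e.g. libstdc++ vs libc++ on a Mac).
Layout shuffleStdDefault(Layout fields) {
    std::default_random_engine rng{};
    std::shuffle(fields.begin(), fields.end(), rng);
    return fields;
}

// Portable alternative: Fisher-Yates driven by std::mt19937_64, whose seeding
// and output sequence are fully specified by the standard, and an explicit
// modulus instead of std::uniform_int_distribution. The same seed therefore
// yields the same layout on every platform. Modulo bias is negligible for
// field counts far below 2^64.
Layout shuffleSeeded(Layout fields, std::uint64_t seed) {
    std::mt19937_64 rng(seed);
    for (std::size_t i = fields.size(); i > 1; --i) {
        std::size_t j = static_cast<std::size_t>(rng() % i);
        std::swap(fields[i - 1], fields[j]);
    }
    return fields;
}

// Count how many of `trials` consecutive seeds leave the layout unchanged.
// A uniform shuffle of n fields returns the identity with probability 1/n!,
// so two fields come back in the original order about half the time, which
// is consistent with what the thread saw on the Mac toolchain.
unsigned countIdentityLayouts(const Layout &fields, std::uint64_t firstSeed,
                              unsigned trials) {
    unsigned identity = 0;
    for (unsigned t = 0; t < trials; ++t)
        if (shuffleSeeded(fields, firstSeed + t) == fields)
            ++identity;
    return identity;
}

// A check that cannot raise a false alarm on a small struct: instead of
// inspecting one seed on one layout, require that at least one seed in a
// small range moves some field.
bool randomizationObservable(const Layout &fields, std::uint64_t firstSeed,
                             unsigned trials) {
    return countIdentityLayouts(fields, firstSeed, trials) < trials;
}

// Sanity check used by the tests: a shuffle must never drop or duplicate fields.
bool isPermutationOf(const Layout &a, const Layout &b) {
    return a.size() == b.size() &&
           std::is_permutation(a.begin(), a.end(), b.begin());
}
```

Running the identity count over consecutive seeds makes the difference visible: roughly half of the seeds leave a two-field layout unchanged, while an eight-field layout almost never comes back in its original order. A regression test for the pass should therefore check several seeds or a wider struct, as the last comment proposes, rather than a single two-field poc.c.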